Steelcon - When Hackers Went North

At the weekend I ventured north of the Watford Gap to attend a security conference which has experienced substantial growth in its short history.

Named Steelcon and held at Sheffield Hallam University, it began in 2014 with 150 delegates, doubled to 300 in 2015 and this year reached the venue's capacity with 450 people attending.

Describing itself as a hacker con “with a northern edge”, the conference welcomed some leading lights from the UK information security scene. Having watched its growth and an impressive 2015 from afar, I was able to grab a ticket and get along to it.

The conference has a great vibe about it. Maybe this is because it is held in a well-lit atrium at the University, that it is very child-friendly and has a separate kids' track where children learn about app development and lock picking, or maybe it is simply because it is held on a Saturday and the delegates carry the feeling of a sunny weekend in July. The badge is a toy whippet, and the organizers explained that sourcing 450 of them, one for each delegate, was quite a challenge.

As for the event itself, I switched between the two speaking tracks to catch some of the best-known names in security research today, and some lesser-known names who may well be better known in the future.

I kicked off with Chris Truncer, whose talk on beating anti-virus focused heavily on shellcode. As a writer without the technical grounding of those sitting beside me in the room, I did not feel I learned as much about bypassing anti-virus as I had hoped.

Into track two, where Dr Jessica Barker presented her research on “imposter syndrome”, which I had discussed with her at Infosecurity Europe. A less technical talk about confidence, fitting in, and even convincing a recruiter that you are right for the job, this was an excellent presentation on a delicate subject.

Barker talked of the “desire to be liked”, and recommended surrounding yourself with positive people (“radiators, not drains”) and doing “anything which pushes you out of your comfort zone.”

Later on I caught technical presentations from Darren Martyn of Xiphos Research, whose talk on memory forensics he rated as “18” (with so many children in attendance, every talk carries a BBFC-style age rating), and, after lunch, from Proofpoint researchers Wayne Huang and Sun Huang, who detailed their knowledge of the Northern Gold attack campaign. The attackers, they said, do not target websites in specific regions, primarily because of the banking technology used in those countries.

They said that the attackers buy WordPress credential lists to spread the Qbot malware, reaching 500,000 infected systems, and have sniffed 800,000 online banking transactions. From December 2015 the attackers started using an exploit kit to deliver Qbot.

Towards the end of this talk people started to drift towards track two, where researcher Scott Helme presented his findings on the Nissan Leaf. He admitted that he was reluctant to call this “hacking”, as the car “was not built with security as one of the design goals.”

The research, carried out with Troy Hunt, showed that the API framework behind the new mobile app was “definitely not secure”. Helme said it was possible to find any model in the world, change its charging schedule, switch on the air conditioning and heating and, using a Python script he had written, repeatedly cycle the battery charge from 95% to 100% in order to potentially void the warranty.

The research was presented to both Nissan and the Information Commissioner’s Office, neither of which gave him the response he had hoped for. Perhaps the surge in car hacking findings from responsible, ethical researchers will prompt regulators and safety bodies to take notice.

Finishing the day, and continuing the automotive theme, was Chris Ratcliff, whose talk “Vorsprung Durch Hacknik” looked at why cars are hackable. No two car manufacturers are the same, he explained: every car starts from a blank sheet of paper, with a way of working in which each component has its own control point.

In one telling slide, Ratcliff showed that in the time it had taken Apple to release seven iPhones, BMW had released one 5 Series model. With the exception of Tesla, which is a technology company that makes cars, car making is heavy industry: parts are bought in from suppliers, and problems arise when those parts have a problem.

“Are manufacturers going to go back and retro-fit?” he asked, predicting that security will become a selling point. What is frustrating now is that when a car cannot be upgraded, the public has to buy a new one, which suits the manufacturers.

The event concluded with “gaffer” Robin Wood declaring that, despite selling out, the conference will stay at the same venue. The day also raised a substantial charitable donation, later roughly doubled to around £1500 after an extra collection at the after-party.

So why does Steelcon matter? It matters because it is an event outside London, it is family friendly, it has an excellent venue and it adds another strength to the UK information security scene. This was one of the best conferences I had been to in a long while, and, all being well on ticket sales (although I imagine there will be a surge to attend in 2017), I will make plans to attend again next year.